CN112866192B - Method and device for identifying abnormal aggregation behaviors - Google Patents

Publication number: CN112866192B
Authority: CN (China)
Legal status: Active
Application number: CN202011614290.0A
Other languages: Chinese (zh)
Other versions: CN112866192A (en)
Inventors: 彭元, 宫智, 刘嘉奇
Current assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Original assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Prior art keywords: mobile phone, phone card, call, card, determining

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The application relates to the technical field of communication anti-fraud, and in particular to a method and a device for identifying abnormal aggregation behaviors. Call tickets (call detail records) in a set area, reported by a call management platform, are acquired. For each mobile phone card in the call tickets, the call track points of the card are determined according to each call time recorded for the card in the call ticket and the corresponding base station identifier, and a call track curve of the card in the set area is determined according to the call track points. The mobile phone cards are then cluster-analyzed according to their call track curves to obtain the clustered classes. For each clustered class, it is judged whether the number of mobile phone cards it contains is within a preset number range, and the mobile phone cards in classes within the number range are determined to exhibit abnormal aggregation behavior. In this way, abnormal aggregation of mobile phone cards can be identified both at a fixed position and in a vehicle-mounted mobile scenario.

Description

Method and device for identifying abnormal aggregation behaviors
Technical Field
The present application relates to the technical field of communication anti-fraud, and in particular, to a method and an apparatus for identifying abnormal aggregation behavior.
Background
At present, a growing number of criminals use GOIP devices for fraud. A GOIP is an internet-based multi-card, multi-standby device that keeps a plurality of mobile phone cards on standby at the same time. A user can insert a plurality of mobile phone cards into one GOIP and connect to the GOIP through a mobile phone application, so that one person with one mobile phone can remotely operate the plurality of mobile phone cards at the same time to place calls. Criminals can also install a GOIP in an automobile, converting it into a mobile vehicle-mounted cloud phone, so that the fraud is not identified because of too many calls under the same base station.
In the prior art, when abnormal aggregation behavior is identified, the mobile phone cards whose position information is unchanged are filtered out, and the base stations are then clustered. However, this identification method can only identify abnormal aggregation behavior at a fixed position; it cannot identify new forms of abnormal aggregation behavior such as the vehicle-mounted cloud phone.
Disclosure of Invention
The embodiment of the application provides a method and a device for identifying abnormal aggregation behaviors, so as to realize identification of the abnormal aggregation behaviors of a mobile phone card in a fixed position or a vehicle-mounted mobile scene.
The embodiment of the application provides the following specific technical scheme:
A method of identifying abnormal aggregation behavior, comprising:
acquiring a call ticket in a set area reported by a call management platform, wherein the call ticket comprises the card number identifier of at least one mobile phone card, the call time, and the base station identifier of the base station to which the mobile phone card belongs;
for each mobile phone card, determining the call track points of the mobile phone card according to each call time recorded for the card in the call ticket and the corresponding base station identifier, and determining a call track curve of the mobile phone card in the set area according to the call track points;
performing cluster analysis on the mobile phone cards according to the call track curve of each mobile phone card, to obtain the clustered classes;
judging whether the number of mobile phone cards contained in each clustered class is within a preset number range, and determining that the mobile phone cards in the classes within the number range exhibit abnormal aggregation behavior.
Optionally, determining the call track points of the mobile phone card according to each call time recorded for the card in the call ticket and the corresponding base station identifier specifically includes:
determining, according to the base station identifier recorded for the mobile phone card in the call ticket, the longitude and latitude information of the base station corresponding to the base station identifier;
and determining the call track points of the mobile phone card according to each call time recorded for the card in the call ticket and the corresponding longitude and latitude information.
Optionally, determining the call track curve of the mobile phone card in the set area according to the call track points specifically includes:
performing curve fitting on the call track points using the least squares method, and determining the call track curve of the mobile phone card in the set area.
Optionally, performing cluster analysis on the mobile phone cards to obtain the clustered classes specifically includes:
for each mobile phone card, selecting from the call track curve of the card the longitude and latitude information corresponding to each preset time point, as the sampling points of the card;
determining the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each mobile phone card, taking the mobile phone cards corresponding to the minimum distance value as one class, and taking each of the other mobile phone cards as a class of its own;
pre-merging the currently obtained classes two at a time, calculating the distance values between the pre-merged class and the other classes according to the sampling points of each mobile phone card, and taking the pre-merged class corresponding to the minimum distance value as a class for the next round, until a preset number of classes is obtained; the preset number of classes obtained are taken as the final clustered classes.
Optionally, determining the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each mobile phone card, and taking the mobile phone cards corresponding to the minimum distance value as one class, specifically includes:
for each mobile phone card, determining from the sampling points of the card the distance value between the card and each other mobile phone card at each sampling time, determining from these distance values the average distance between the card and each other mobile phone card, and taking each calculated average distance as the distance value between the card and the corresponding other mobile phone card.
An apparatus for identifying abnormal aggregation behavior, comprising:
an acquisition module, configured to acquire a call ticket in a set area reported by a call management platform, wherein the call ticket comprises the card number identifier of at least one mobile phone card, the call time, and the base station identifier of the base station to which the mobile phone card belongs;
a determining module, configured to determine, for each mobile phone card, the call track points of the mobile phone card according to each call time recorded for the card in the call ticket and the corresponding base station identifier, and to determine a call track curve of the mobile phone card in the set area according to the call track points;
a clustering module, configured to perform cluster analysis on the mobile phone cards according to the call track curve of each mobile phone card, to obtain the clustered classes;
and an identification module, configured to judge whether the number of mobile phone cards contained in each clustered class is within a preset number range, and to determine that the mobile phone cards in the classes within the number range exhibit abnormal aggregation behavior.
Optionally, when determining the call track points of the mobile phone card according to each call time recorded for the card in the call ticket and the corresponding base station identifier, the determining module is specifically configured to:
determine, according to the base station identifier recorded for the mobile phone card in the call ticket, the longitude and latitude information of the base station corresponding to the base station identifier;
and determine the call track points of the mobile phone card according to each call time recorded for the card in the call ticket and the corresponding longitude and latitude information.
Optionally, when determining the call track curve of the mobile phone card in the set area according to the call track points, the determining module is specifically configured to:
perform curve fitting on the call track points using the least squares method, and determine the call track curve of the mobile phone card in the set area.
Optionally, when performing cluster analysis on the mobile phone cards to obtain the clustered classes, the clustering module is specifically configured to:
for each mobile phone card, select from the call track curve of the card the longitude and latitude information corresponding to each preset time point, as the sampling points of the card;
determine the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each mobile phone card, take the mobile phone cards corresponding to the minimum distance value as one class, and take each of the other mobile phone cards as a class of its own;
pre-merge the currently obtained classes two at a time, calculate the distance values between the pre-merged class and the other classes according to the sampling points of each mobile phone card, and take the pre-merged class corresponding to the minimum distance value as a class for the next round, until a preset number of classes is obtained; the preset number of classes obtained are taken as the final clustered classes.
Optionally, when determining the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each mobile phone card, and taking the mobile phone cards corresponding to the minimum distance value as one class, the clustering module is specifically configured to:
for each mobile phone card, determine from the sampling points of the card the distance value between the card and each other mobile phone card at each sampling time, determine from these distance values the average distance between the card and each other mobile phone card, and take each calculated average distance as the distance value between the card and the corresponding other mobile phone card.
An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of the above method of identifying anomalous aggregation behaviour when executing said program.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method of identifying anomalous aggregation behaviour.
In the embodiment of the application, a call ticket in a set area reported by a call management platform is acquired, the call ticket comprising the card number identifier of at least one mobile phone card, the call time, and the base station identifier of the base station to which the mobile phone card belongs. For each mobile phone card, the call track points of the card are determined according to each call time recorded for the card in the call ticket and the corresponding base station identifier, and a call track curve of the card in the set area is determined according to the call track points. The mobile phone cards are cluster-analyzed according to the call track curve of each card to obtain the clustered classes, and it is judged whether the number of mobile phone cards contained in each clustered class is within a preset number range, in order to decide whether the mobile phone cards exhibit abnormal aggregation behavior. Because the call track curve of each mobile phone card is determined first, the cards are clustered based on their call track curves, and each clustered class is then checked for abnormal aggregation behavior, the problem that abnormal aggregation of mobile phone cards cannot be identified in a scenario where the position of the cards is not fixed can be solved. In addition, since the identification is performed based on the call track curves of the mobile phone cards, the accuracy of identifying abnormal aggregation behavior can be improved compared with the prior-art method of determining whether abnormal aggregation occurs based only on the position information of the base station.
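The method summarized above can be sketched end to end as follows. This is an added example, not code from the patent: the station coordinates, call tickets, class count and size range are constructed, and the straight-line least-squares fit, Euclidean distance in degrees and average linkage between classes are assumptions made where the text names no specific choice. TABLE_4 holds the distance averages from Table 4 of the detailed description.

```python
from collections import defaultdict
from itertools import combinations
from math import hypot

# Constructed data (not from the patent). Stations 108..116 lie along a road;
# 900 and 901 are unrelated fixed sites. Values are (longitude, latitude).
STATIONS = {100 + h: (108.0 + 0.05 * (h - 8), 29.0 + 0.02 * (h - 8)) for h in range(8, 17)}
STATIONS.update({900: (108.9, 29.9), 901: (107.5, 30.4)})

# Constructed call tickets: (card number, call hour, base station id).
# V1..V3 ride in one vehicle and dial in rotation, so no two of their calls
# use the same base station. H1 and H2 are stationary cards.
TICKETS = [
    ("V1", 8, 108), ("V2", 9, 109), ("V3", 10, 110),
    ("V1", 11, 111), ("V2", 12, 112), ("V3", 13, 113),
    ("V1", 14, 114), ("V2", 15, 115), ("V3", 16, 116),
    ("H1", 9, 900), ("H1", 18, 900), ("H2", 10, 901), ("H2", 20, 901),
]

# Distance averages copied from Table 4 of the description.
TABLE_4 = {frozenset(pair): d for pair, d in {
    "AB": 0.18, "AC": 0.39, "AD": 0.43, "AE": 0.39, "BC": 0.32,
    "BD": 0.34, "BE": 0.41, "CD": 0.25, "CE": 0.27, "DE": 0.21}.items()}


def fit_line(ts, vs):
    """Least-squares line v = a + b*t (assumed curve form); constant input gives b = 0."""
    n = len(ts)
    mt, mv = sum(ts) / n, sum(vs) / n
    var = sum((t - mt) ** 2 for t in ts)
    b = sum((t - mt) * (v - mv) for t, v in zip(ts, vs)) / var if var else 0.0
    return mv - b * mt, b


def build_tracks(tickets, stations):
    """Step 210: ticket -> station lon/lat -> fitted (lon(t), lat(t)) per card."""
    points = defaultdict(list)
    for card, hour, station_id in tickets:
        if station_id in stations:  # skip tickets whose base station is unknown
            points[card].append((hour, *stations[station_id]))
    tracks = {}
    for card, pts in points.items():
        ts = [p[0] for p in pts]
        tracks[card] = (fit_line(ts, [p[1] for p in pts]),
                        fit_line(ts, [p[2] for p in pts]))
    return tracks


def sample(track, times):
    """Step 220 S1: read (lon, lat) off the fitted curve at each preset time."""
    (a_lon, b_lon), (a_lat, b_lat) = track
    return [(a_lon + b_lon * t, a_lat + b_lat * t) for t in times]


def pairwise_mean_distance(samples):
    """Step 220 S2: average over sampling times of the card-to-card distance."""
    dist = {}
    for a, b in combinations(sorted(samples), 2):
        d = [hypot(xa - xb, ya - yb)  # Euclidean distance in degrees (assumption)
             for (xa, ya), (xb, yb) in zip(samples[a], samples[b])]
        dist[frozenset((a, b))] = sum(d) / len(d)
    return dist


def cluster(dist, cards, n_classes):
    """Step 220 S2-S3: merge the closest pair of classes until n_classes remain."""
    classes = [(c,) for c in sorted(cards)]

    def linkage(p, q):  # average linkage between classes (assumption)
        return sum(dist[frozenset((a, b))] for a in p for b in q) / (len(p) * len(q))

    while len(classes) > max(n_classes, 1):
        p, q = min(combinations(classes, 2), key=lambda pq: linkage(*pq))
        classes = [c for c in classes if c not in (p, q)] + [tuple(sorted(p + q))]
    return sorted(classes)


def flag_abnormal(classes, lo, hi):
    """Final step: classes whose card count lies in the preset range [lo, hi]."""
    return [c for c in classes if lo <= len(c) <= hi]


def detect(tickets, stations, times, n_classes, lo, hi):
    tracks = build_tracks(tickets, stations)
    samples = {card: sample(track, times) for card, track in tracks.items()}
    classes = cluster(pairwise_mean_distance(samples), samples, n_classes)
    return flag_abnormal(classes, lo, hi)


if __name__ == "__main__":
    print(cluster(TABLE_4, "ABCDE", 4))  # first merge in Table 4: A with B
    print(detect(TICKETS, STATIONS, range(8, 17), n_classes=3, lo=3, hi=500))
```

Clustering by shared base station would miss V1 to V3 in this sample, since their nine calls use nine different stations; the fitted tracks coincide, so the track-based distance between them is close to zero.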
Drawings
FIG. 1 is a schematic diagram of a GOIP in the prior art;
FIG. 2 is a flow chart of a method of identifying anomalous aggregate behavior in an embodiment of the present application;
FIG. 3 is a schematic diagram of a call trajectory curve in an embodiment of the present application;
FIG. 4 is a schematic diagram illustrating an effect of clustering mobile phone cards in an embodiment of the present application;
FIG. 5 is another flow chart of a method of identifying anomalous aggregate behavior in an embodiment of the application;
FIG. 6 is a schematic structural diagram of an apparatus for identifying abnormal aggregation behavior in an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an electronic device in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, more and more criminals use GOIP devices to commit fraud. Overseas personnel link up through the network layer; criminals inside the country deploy GOIP devices domestically, and the overseas personnel place the calls to carry out the fraud. FIG. 1 is a schematic diagram of a GOIP in the prior art. A GOIP is a device with a plurality of lines that can hold a plurality of mobile phone cards; it supports access by mobile phone cards, converts traditional telephone signals into network signals, and allows a plurality of mobile phone numbers to be in calls simultaneously. A user can insert a plurality of mobile phone cards into one GOIP and connect to the GOIP through a mobile phone application, so that one person with one mobile phone can remotely operate those cards at the same time to place calls. Telecommunication fraud groups usually use GOIP and similar equipment to set up service points that provide call-traffic technical support for telecommunication fraud activities and hide the real number. A significant feature of GOIP is location aggregation, i.e., hundreds of cards may place calls on the same base station.
In their continuing contest with risk-control systems, criminals have learned that a card which places calls frequently is easily identified by the risk-control system and then shut down. To avoid this, after deploying a plurality of cards they dial from the cards in rotation; according to statistics, one card places no more than 10 calls in one day, and on average dials 1 number in 1 hour.
Criminals can also install a GOIP in an automobile, converting it into a mobile vehicle-mounted cloud phone, so that the fraud is not identified because of too many calls under the same base station.
In the prior art, when abnormal aggregation behavior is identified, the mobile phone cards whose position information is unchanged are filtered out, and the base stations are then clustered. However, this identification method can only identify abnormal aggregation behavior at a fixed position, and cannot identify the new abnormal aggregation behavior of the vehicle-mounted cloud phone.
In order to solve the above problems, an embodiment of the present application provides a method for identifying abnormal aggregation behavior. A call ticket in a set area reported by a call management platform is acquired, the call ticket comprising the card number identifier of at least one mobile phone card, the call time, and the base station identifier of the base station to which the mobile phone card belongs. For each mobile phone card, the call track points of the card are determined according to each call time recorded for the card in the call ticket and the corresponding base station identifier, and a call track curve of the card in the set area is determined according to the call track points. The mobile phone cards are cluster-analyzed according to the call track curve of each card to obtain the clustered classes, it is judged whether the number of mobile phone cards contained in each clustered class is within a preset number range, and the mobile phone cards in the classes within the number range are determined to exhibit abnormal aggregation behavior. Because the mobile phone cards are clustered on their call track curves and each class within the number range is then checked, abnormal aggregation behavior can be identified by the method in the embodiment, and the accuracy of identifying abnormal aggregation behavior can also be improved.
Based on the foregoing embodiment, FIG. 2 is a flowchart of a method for identifying abnormal aggregation behavior in the embodiment of the present application, which specifically includes:
Step 200: Acquire a call ticket in the set area reported by the call management platform.
The call ticket includes the card number identifier of at least one mobile phone card, the call time, and the base station identifier of the base station to which the mobile phone card belongs.
In the embodiment of the application, the mobile phone card is installed in a mobile terminal. When the mobile terminal is in a call, a call ticket is generated in the call management platform; the call management platform then reports the call tickets within the set range to the risk-control platform, and the risk-control platform thereby obtains the call tickets in the set area reported by the call management platform. The call ticket comprises the card number identifier of at least one mobile phone card, the call time, and the base station identifier of the base station to which the mobile phone card belongs.
The base station identifier is the number of the base station used by the mobile phone card during the call.
The call management platform may be, for example, an operator system.
The call time may be, for example, a call start time, a call end time, a call time period, and the like, which is not limited in the embodiment of the present application.
The mobile phone card may be, for example, a Subscriber Identity Module (SIM), which must be installed in a digital mobile terminal to be used; the SIM stores the digital mobile phone subscriber's information, the encryption key, and the contents of the user's phone book.
The base station identifier may be, for example, a Location Area Code (LAC).
Further, after the call ticket in the set area is acquired from the call management platform, a call position time table may be constructed, in which the card number identifier of each mobile phone card, the corresponding call time and the base station identifier are stored. Table 1 shows the call position time table in the embodiment of the present application.
Table 1.
Card number    Time                   LAC
A              2020/09/27 13:00:03    490
B              2020/09/27 15:20:31    187
C              2020/09/27 16:30:21    273
A              2020/09/27 17:50:31    887
A              2020/09/27 18:19:33    129
C              2020/09/27 18:20:51    386
Step 210: For each mobile phone card, determine the call track points of the mobile phone card according to each call time recorded for the card in the call ticket and the corresponding base station identifier, and determine a call track curve of the mobile phone card in the set area according to the call track points.
In the embodiment of the application, for each mobile phone card, the call track points of the card are first determined according to each call time recorded for the card in the call ticket and the corresponding base station identifier.
The call track points represent the positions of the mobile phone card during its calls.
Specifically, determining the call track points of the mobile phone card includes:
S1: Determine, according to the base station identifier recorded for the mobile phone card in the call ticket, the longitude and latitude information of the base station corresponding to the base station identifier.
In the embodiment of the application, because the position of a base station is fixed, the longitude and latitude information of each base station, that is, the longitude and latitude at which each call of the mobile phone card took place, is looked up according to the base station identifier in each call record of the mobile phone card.
In addition, a call longitude and latitude information table can be constructed. Table 2 shows the call longitude and latitude information table in the embodiment of the application.
Table 2.
[Table 2 appears as an image in the original publication and is not reproduced here.]
S2: Determine the call track points of the mobile phone card according to each call time recorded for the card in the call ticket and the corresponding longitude and latitude information.
In the embodiment of the application, the call track point of the mobile phone card at each call time is determined according to each call time recorded for the card in the call ticket and the corresponding longitude and latitude information.
Then, after the call track points of the mobile phone card have been determined, the call track curve of the card is determined according to the call track points. The embodiment of the application provides one possible implementation for determining the call track curve of the mobile phone card, which specifically includes:
performing curve fitting on the call track points using the least squares method, and determining the call track curve of the mobile phone card in the set area.
In the embodiment of the present application, least-squares function fitting is used to fit a curve to the call track points and determine the call track curve of the mobile phone card in the set area. FIG. 3 is a schematic diagram of the call track curve in the embodiment of the present application.
Step 220: Perform cluster analysis on the mobile phone cards according to the call track curve of each mobile phone card, to obtain the clustered classes.
In the embodiment of the application, the call track curve of each mobile phone card is input into a trained clustering model, and cluster analysis is performed on the mobile phone cards to obtain the clustered classes.
The clustering model may be, for example, a hierarchical clustering method, which is not limited in the embodiment of the present application.
Taking the hierarchical clustering method as an example, the step of performing cluster analysis on the mobile phone cards to obtain the clustered classes is described in detail below, and specifically includes:
S1: For each mobile phone card, select from the call track curve of the card the longitude and latitude information corresponding to each preset time point, as the sampling points of the card.
In the embodiment of the application, for each mobile phone card, each preset time point, that is, each preset call time, is selected on the call track curve of the card, the longitude and latitude information corresponding to each time point is obtained, and the selected longitude and latitude information is used as the sampling points of the card.
For example, assume that the preset time point is 08:00, and that at this time point the mobile phone card with card number A is at longitude 108.51 and latitude 29.07, and the mobile phone card with card number B is at longitude 108.31 and latitude 30.36; this is not limited in the embodiment of the present application.
In the sampling process, an integral time of 08-00-22.
Further, after the sampling points of each mobile phone card are obtained, an integer position table may be established, and each sampling point and its corresponding sampling time are filled into the table. Table 3 shows the integer position table in the embodiment of the present application.
Table 3.
[Table 3 appears as an image in the original publication and is not reproduced here.]
S2: Determine the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each mobile phone card, take the mobile phone cards corresponding to the minimum distance value as one class, and take each of the other mobile phone cards as a class of its own.
In the embodiment of the application, the distance value between each mobile phone card and each other mobile phone card is calculated according to the sampling points of each card; the mobile phone cards corresponding to the minimum distance value are merged into one class, and each of the other mobile phone cards that were not merged is taken as a class of its own.
The step of determining the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each card, and taking the mobile phone cards corresponding to the minimum distance value as one class, is elaborated below and specifically includes:
for each mobile phone card, determining from the sampling points of the card the distance value between the card and each other mobile phone card at each sampling time, determining from these distance values the average distance between the card and each other mobile phone card, and taking each calculated average distance as the distance value between the card and the corresponding other mobile phone card.
In the embodiment of the application, for each mobile phone card, the distance value between the card and each other mobile phone card at each sampling time is calculated first.
For example, assuming that the mobile phone cards are card A, card B, card C, card D, and card E, a distance value between card A and card B at 08.
The distance value between card A and card B at 08:
[Equation appears as an image in the original publication and is not reproduced here.]
where x1 and y1 are respectively the longitude and latitude of A, and x2 and y2 are respectively the longitude and latitude of B.
Then, after each distance value has been calculated, the average distance between the mobile phone card and each other mobile phone card is calculated from the determined distance values.
For example, after the distance value between card A and card B at each time point has been calculated, the distance average over the time points of card A and card B is obtained, and the distance average between card A and card B in a range from 08:
[Equation appears as an image in the original publication and is not reproduced here.]
Table 4 is a schematic table showing the average distances between the mobile phone cards in the embodiment of the present application.
Table 4.
Distance  A     B     C     D     E
A         0.00  -     -     -     -
B         0.18  0.00  -     -     -
C         0.39  0.32  0.00  -     -
D         0.43  0.34  0.25  0.00  -
E         0.39  0.41  0.27  0.21  0.00
As can be seen from the distance averages in Table 4, the distance average d(A, B) = 0.18 between card A and card B is the smallest; card A and card B are therefore merged into one class, giving the class AB.
S3: Pre-merge every two classes among the classes currently obtained, calculate the distance value between each pre-merged class and the other classes according to the sampling points of each mobile phone card, take the pre-merged class corresponding to the minimum distance value as one of the classes obtained in the next round, repeat until a preset number of classes is obtained, and take the obtained preset number of classes as the classes of the final clustering.
In the embodiment of the application, every two classes among the classes currently obtained are first pre-merged, and the distance values between the pre-merged class and each other class are calculated according to the sampling points of each mobile phone card.
For example, assume that card A and card B form one class and that card C, card D and card E are each a class of their own. Class AB is pre-merged with C and the distance value between AB and C is calculated; AB is pre-merged with D and the distance value between AB and D is calculated; AB is pre-merged with E and the distance value between AB and E is calculated; C is pre-merged with D and the distance value between C and D is calculated; and D is pre-merged with E and the distance value between D and E is calculated. These can be expressed, for example, as:
d(AB,C)=avg(d(A,C),d(B,C))=0.355
d(AB,D)=avg(d(A,D),d(B,D))=0.385
d(AB,E)=avg(d(A,E),d(B,E))=0.4
Table 5 shows the distance values in the embodiment of the present application.
Table 5.
Distance  AB     C     D     E
AB        0.00   -     -     -
C         0.355  0.00  -     -
D         0.385  0.25  0.00  -
E         0.4    0.27  0.21  0.00
Then, the pre-merged class corresponding to the minimum distance value is taken as one of the classes obtained in the next round, until the preset number of classes is obtained.
For example, as can be seen from Table 5, the distance value d(D, E) = 0.21 between card D and card E is the smallest, so card D and card E are merged into one class. The distance values between class DE and classes AB and C are then calculated in the same way as in the preceding steps, and so on until all cards are finally merged into one class ABCDE. Fig. 4 is a schematic diagram illustrating the effect of clustering the mobile phone cards in the embodiment of the present application.
Step 230: Judge whether the number of mobile phone cards contained in each clustered class is within a preset number range, and determine that the mobile phone cards in the classes whose card count is within the number range exhibit abnormal aggregation behavior.
In the embodiment of the application, whether the number of mobile phone cards in each clustered class is within the preset number range is judged, the classes whose number of mobile phone cards is within the preset number range are selected from the clustered classes, and the mobile phone cards in those classes are determined to exhibit abnormal aggregation behavior.
For example, offenders generally deploy GOIP devices; the card slots of such devices come in several specifications, typically 32, 64, 128, 256 and so on, so a class obtained during clustering that contains between 32 and 256 mobile phone cards is output and judged to be a GOIP location aggregation class.
Further, during clustering, whether the number of mobile phone cards contained in each clustered class is within the preset number range can be judged in real time; as soon as the number of mobile phone cards in one of the clustered classes is judged to be within the preset number range, clustering is stopped and each mobile phone card in that class is judged to exhibit abnormal aggregation behavior.
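The merge procedure of S2, S3 and step 230, as an added example that is not part of the patent text. It assumes that the distance between two classes is the average over all card pairs across them (which reproduces d(AB, C) = 0.355 from Table 5); the function and parameter names are hypothetical, and the (2, 3) size range in the demo is constructed for this five-card sample.

```python
from itertools import combinations

# Table 4 from the text: average sampled-point distance between each pair of cards.
TABLE4 = {
    ("A", "B"): 0.18, ("A", "C"): 0.39, ("A", "D"): 0.43, ("A", "E"): 0.39,
    ("B", "C"): 0.32, ("B", "D"): 0.34, ("B", "E"): 0.41,
    ("C", "D"): 0.25, ("C", "E"): 0.27,
    ("D", "E"): 0.21,
}


def card_distance(a, b, table=TABLE4):
    """Symmetric lookup of the average distance between two cards."""
    return table[(a, b)] if (a, b) in table else table[(b, a)]


def class_distance(c1, c2, table=TABLE4):
    """Distance between two classes.

    Assumption: the average of every card-to-card distance across the two
    classes, e.g. d(AB, C) = avg(d(A, C), d(B, C)) as in the text.
    """
    pairs = [(a, b) for a in c1 for b in c2]
    return sum(card_distance(a, b, table) for a, b in pairs) / len(pairs)


def cluster(cards, table=TABLE4, target_classes=1,
            size_range=(32, 256), stop_on_hit=False):
    """Repeatedly merge the two closest classes (S2/S3).

    Returns (history, flagged):
      history - each merged class and the distance at which it was formed
      flagged - merged classes whose card count lies inside size_range
                (step 230); the default range is the 32..256 slot counts
                named in the text.
    stop_on_hit=True stops at the first flagged class, the real-time
    variant described in the text.
    """
    classes = [frozenset([c]) for c in cards]
    lo, hi = size_range
    history, flagged = [], []
    while len(classes) > max(target_classes, 1):
        # Pre-merge every pair of current classes and keep the closest pair.
        c1, c2 = min(combinations(classes, 2),
                     key=lambda p: class_distance(p[0], p[1], table))
        dist = class_distance(c1, c2, table)
        merged = c1 | c2
        classes = [c for c in classes if c not in (c1, c2)] + [merged]
        name = "".join(sorted(merged))
        history.append((name, round(dist, 4)))
        if lo <= len(merged) <= hi:
            flagged.append(name)
            if stop_on_hit:
                break
    return history, flagged


if __name__ == "__main__":
    # Constructed demo range (2, 3): five cards can never reach 32.
    history, flagged = cluster("ABCDE", size_range=(2, 3))
    for name, dist in history:
        print(f"merged {name:<6} at distance {dist}")
    print("flagged classes:", flagged)
```

Because every merged class is checked as it forms, a flagged class can be a subset of a later flagged class; a deployment would normally report only the largest class that still falls inside the range.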
In the embodiment of the application, a call ticket in a set area reported by a call management platform is obtained, the call ticket comprising a card number identifier corresponding to at least one mobile phone card, call times and a base station identifier of the base station to which the mobile phone card belongs. For each mobile phone card, the call track points of the mobile phone card are determined according to the call times and corresponding base station identifiers recorded for it in the call ticket, and a call track curve of the mobile phone card in the set area is determined according to the call track points. Cluster analysis is performed on the mobile phone cards according to the call track curve of each mobile phone card to obtain the clustered classes; whether the number of mobile phone cards contained in each clustered class is within a preset number range is judged, and the mobile phone cards in the classes within the number range are determined to exhibit abnormal aggregation behavior. In this way, a curve is fitted based on the geographic features of the mobile phone cards to determine the call track curve of each mobile phone card, so that abnormal location aggregation behavior based on vehicle-mounted cloud phone technology can be discovered effectively and fraud based on GOIP equipment can be discovered rapidly.
Based on the above embodiment, the method for identifying abnormal aggregation behavior in the embodiment of the present application is described in detail below, taking card A, card B, card C, card D and card E as the mobile phone cards. Referring to fig. 5, another flowchart of the method for identifying abnormal aggregation behavior in the embodiment of the present application specifically includes:
Step 500: Obtain the call tickets of card A, card B, card C, card D and card E.
The call ticket includes the card number identifiers corresponding to card A, card B, card C, card D and card E, the call times and the base station identifier of the base station to which each mobile phone card belongs.
Step 510: Determine the call track points of card A, card B, card C, card D and card E, and determine the call track curves of card A, card B, card C, card D and card E according to the call track points.
Step 520: According to the call track curves of card A, card B, card C, card D and card E, perform cluster analysis on the mobile phone cards to obtain the clustered classes.
Step 530: Judge whether the number of mobile phone cards contained in each clustered class is within a preset number range, and determine that the mobile phone cards in the classes whose number of mobile phone cards is within the preset number range exhibit abnormal aggregation behavior.
In the embodiment of the application, location aggregation behavior based on GOIP equipment can be discovered by this method, and both fixed-location deployments and vehicle-mounted cloud phones can be discovered with one model, so that abnormal aggregation behavior whose location information is not fixed, namely the vehicle-mounted cloud phone, is identified.
Based on the same inventive concept, the embodiment of the present application further provides a device for identifying abnormal aggregation behavior, which may be a hardware structure, a software module, or a hardware structure plus a software module. Based on the above embodiment, referring to fig. 6, a schematic structural diagram of a device for identifying abnormal aggregation behavior in the embodiment of the present application is shown, which specifically includes:
an obtaining module 600, configured to obtain a call ticket in a set area reported by a call management platform, where the call ticket includes a card number identifier corresponding to at least one mobile phone card, a call time, and a base station identifier of a base station to which the mobile phone card belongs;
a determining module 610, configured to determine, for each mobile phone card, the call track points of the mobile phone card according to the call times and corresponding base station identifiers recorded for it in the call ticket, and determine, according to the call track points, a call track curve of the mobile phone card in the set area;
a clustering module 620, configured to perform cluster analysis on the mobile phone cards according to the call track curve of each mobile phone card, so as to obtain the clustered classes;
an identifying module 630, configured to judge whether the number of mobile phone cards contained in each clustered class is within a preset number range, and determine that the mobile phone cards in the classes within the number range exhibit abnormal aggregation behavior.
Optionally, when determining the call track points of a mobile phone card according to the call times and corresponding base station identifiers recorded for it in the call ticket, the determining module 610 is specifically configured to:
determine, according to each base station identifier recorded for the mobile phone card in the call ticket, the longitude and latitude information of the base station corresponding to that base station identifier;
and determine the call track points of the mobile phone card according to the call times and corresponding longitude and latitude information recorded for the mobile phone card in the call ticket.
Optionally, when determining a call track curve of the mobile phone card in the set area according to the call track points, the determining module 610 is specifically configured to:
perform curve fitting on the call track points by the least square method, and determine the call track curve of the mobile phone card in the set area.
Optionally, when performing cluster analysis on the mobile phone cards to obtain the clustered classes, the clustering module 620 is specifically configured to:
for each mobile phone card, select the longitude and latitude information corresponding to each preset time point from the call track curve of the mobile phone card as the sampling points of the mobile phone card;
determine the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each mobile phone card, take the mobile phone cards corresponding to the minimum distance value as one class, and take each of the other mobile phone cards as a class of its own;
pre-merge every two classes among the classes currently obtained, calculate the distance value between each pre-merged class and each other class according to the sampling points of each mobile phone card, take the pre-merged class corresponding to the minimum distance value as one of the classes obtained in the next round until a preset number of classes is obtained, and take the obtained preset number of classes as the classes of the final clustering.
Optionally, when determining the distance value between each mobile phone card and each other mobile phone card according to the sampling points of each mobile phone card, and taking the mobile phone cards corresponding to the minimum distance value as one class, the clustering module 620 is specifically configured to:
for each mobile phone card, determine, according to the sampling points of the mobile phone card, the distance values between the mobile phone card and each other mobile phone card at each sampling time, determine the average distance between the mobile phone card and each other mobile phone card from the determined distance values, and take each calculated average distance as the distance value between the mobile phone card and the corresponding other mobile phone card.
Based on the above embodiments, referring to fig. 7, a schematic structural diagram of an electronic device in an embodiment of the present application is shown.
Embodiments of the present disclosure provide an electronic device, which may include a processor 710 (CPU), a memory 720, an input device 730, an output device 740, and the like, wherein the input device 730 may include a keyboard, a mouse, a touch screen, and the like, and the output device 740 may include a Display device, such as a Liquid Crystal Display (LCD), a Cathode Ray Tube (CRT), and the like.
Memory 720 may include Read Only Memory (ROM) and Random Access Memory (RAM), and provides processor 710 with program instructions and data stored in memory 720. In the embodiment of the present application, the memory 720 may be used for storing a program of any one of the methods for identifying abnormal aggregation behavior in the embodiment of the present application.
The processor 710 is configured to call the program instructions stored in the memory 720 and to execute, according to the obtained program instructions, any of the methods for identifying abnormal aggregation behavior in the embodiments of the present application.
Based on the above embodiments, in the embodiments of the present application, a computer-readable storage medium is provided, on which a computer program is stored, and the computer program, when executed by a processor, implements the method for identifying abnormal aggregation behavior in any of the above method embodiments.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (8)

1. A method of identifying abnormal aggregation behavior, comprising:
acquiring a call ticket in a set area reported by a call management platform, wherein the call ticket comprises a card number identifier corresponding to at least one mobile phone card, call time and a base station identifier of a base station to which the mobile phone card belongs;
for each mobile phone card, determining the call track points of the mobile phone card according to the call times and corresponding base station identifiers recorded for it in the call ticket, and determining a call track curve of the mobile phone card in the set area according to the call track points;
performing cluster analysis on the mobile phone cards according to the call track curve of each mobile phone card to obtain the clustered classes;
judging whether the number of mobile phone cards in each clustered class is within a preset number range, and determining that the mobile phone cards in the classes within the number range exhibit abnormal aggregation behavior;
wherein performing cluster analysis on the mobile phone cards to obtain the clustered classes specifically comprises:
for each mobile phone card, selecting the longitude and latitude information corresponding to each preset time point from the call track curve of the mobile phone card as the sampling points of the mobile phone card;
determining the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each mobile phone card, taking the mobile phone cards corresponding to the minimum distance value as one class, and taking each of the other mobile phone cards as a class of its own;
pre-merging every two classes among the classes currently obtained, calculating the distance value between each pre-merged class and the other classes according to the sampling points of each mobile phone card, taking the pre-merged class corresponding to the minimum distance value as one of the classes obtained in the next round until a preset number of classes is obtained, and taking the obtained preset number of classes as the classes of the final clustering.
2. The method according to claim 1, wherein determining the call track points of a mobile phone card according to the call times and corresponding base station identifiers recorded for it in the call ticket specifically comprises:
determining, according to each base station identifier recorded for the mobile phone card in the call ticket, the longitude and latitude information of the base station corresponding to that base station identifier;
and determining the call track points of the mobile phone card according to the call times and corresponding longitude and latitude information recorded for the mobile phone card in the call ticket.
3. The method according to claim 1, wherein determining a call track curve of the mobile phone card in the set area according to the call track points specifically comprises:
performing curve fitting on the call track points by the least square method, and determining the call track curve of the mobile phone card in the set area.
4. The method according to claim 1, wherein determining the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each mobile phone card and taking the mobile phone cards corresponding to the minimum distance value as one class specifically comprises:
for each mobile phone card, determining, according to the sampling points of the mobile phone card, the distance values between the mobile phone card and each other mobile phone card at each sampling time, determining the average distance between the mobile phone card and each other mobile phone card from the determined distance values, and taking each calculated average distance as the distance value between the mobile phone card and the corresponding other mobile phone card.
5. An apparatus for identifying abnormal aggregation behavior, comprising:
an acquisition module, configured to acquire a call ticket in a set area reported by a call management platform, wherein the call ticket comprises a card number identifier corresponding to at least one mobile phone card, call time and a base station identifier of a base station to which the mobile phone card belongs;
a determining module, configured to determine, for each mobile phone card, the call track points of the mobile phone card according to the call times and corresponding base station identifiers recorded for it in the call ticket, and to determine a call track curve of the mobile phone card in the set area according to the call track points;
a clustering module, configured to perform cluster analysis on the mobile phone cards according to the call track curve of each mobile phone card to obtain the clustered classes;
an identification module, configured to judge whether the number of mobile phone cards contained in each clustered class is within a preset number range, and to determine that the mobile phone cards in the classes within the number range exhibit abnormal aggregation behavior;
wherein, when performing cluster analysis on the mobile phone cards to obtain the clustered classes, the clustering module is specifically configured to:
for each mobile phone card, select the longitude and latitude information corresponding to each preset time point from the call track curve of the mobile phone card as the sampling points of the mobile phone card;
determine the distance values between each mobile phone card and the other mobile phone cards according to the sampling points of each mobile phone card, take the mobile phone cards corresponding to the minimum distance value as one class, and take each of the other mobile phone cards as a class of its own;
pre-merge every two classes among the classes currently obtained, calculate the distance value between each pre-merged class and the other classes according to the sampling points of each mobile phone card, take the pre-merged class corresponding to the minimum distance value as one of the classes obtained in the next round until a preset number of classes is obtained, and take the obtained preset number of classes as the classes of the final clustering.
6. The apparatus according to claim 5, wherein when determining the call track curve of the mobile phone card in the set area according to the call track points, the determining module is specifically configured to:
perform curve fitting on the call track points by the least square method, and determine the call track curve of the mobile phone card in the set area.
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method according to any of claims 1-4 are implemented when the processor executes the program.
8. A computer-readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 4.
CN202011614290.0A 2020-12-30 2020-12-30 Method and device for identifying abnormal aggregation behaviors Active CN112866192B (en)


Publications (2)

Publication Number Publication Date
CN112866192A 2021-05-28
CN112866192B 2022-11-04

Family

ID=75998667

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011614290.0A Active CN112866192B (en) 2020-12-30 2020-12-30 Method and device for identifying abnormal aggregation behaviors

Country Status (1)

Country Link
CN (1) CN112866192B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant